JP6774881B2 - Business processing system monitoring device and monitoring method - Google Patents

Description

The present invention relates to a business processing system monitoring device and a monitoring method.

Malicious malicious programs (malware) such as computer viruses, spyware, and bot programs that pose threats such as information leakage and unauthorized access are increasing. To protect your system or network from malware threats, you first need to detect malware.

Here, there are various methods for detecting malware, but there is a problem that detection takes time depending on the method. In addition, there is a problem that the detection accuracy is lowered for advanced malware. Furthermore, in recent years, "targeted attacks" that skillfully utilize advanced malware to invade the networks of specific government offices, companies, and organizations to steal confidential information or destroy systems have become a major security threat. ..

In order to minimize the damage caused by these malware and targeted attacks, it is necessary to have a mechanism to control infection. In other words, it detects the activity of infecting other terminals in the network from the initially infected terminal by exploiting software vulnerabilities, analyzes the range of influence of the attack, decides the countermeasure based on the analysis result, and takes the determined countermeasure. A mechanism such as implementation is required.

In particular, analysis of the extent of impact is necessary to realize effective and efficient attack response. The analysis of the range of influence is to identify terminals that may be damaged by attacks and terminals that may be damaged in the future based on the detection results and the mission (business content) performed by the system. That is.

In Patent Document 1, a plurality of attack sequences for executing a cyber attack are held as attack scenarios, and by analyzing whether or not the current event matches the attack scenario, attacks and damages that have not yet been detected by the detection device are performed. Extract the receiving terminals. Then, in Patent Document 1, countermeasures stored in the countermeasure database are implemented against the extracted attacks.

In Patent Document 2, a terminal that may be affected by the terminal is specified based on the terminal that is detected to be attacked. In Patent Document 2, a terminal having a history of accessing a reference terminal through a network and a terminal having a history of being accessed from the reference terminal are specified as terminals that may be affected.

In Non-Patent Document 1, which resource (file process) is contaminated in a terminal infected with malware is estimated by a Bayesian network. In Non-Patent Document 1, it is estimated whether or not the resource has been contaminated based on the timing of the interaction (file read / write, etc.) between the resource whose contamination has been confirmed and the resource to be estimated.

Japanese Unexamined Patent Publication No. 2015-121968 International Publication No. 2015/140843

Yuan Yang, et al, “Identifying Intrusion Infections via Probabilistic Inference on Bayesian Network,” In Proc. Of DIMVA2015, July, 2015.

In the prior art, in a business processing system including a plurality of terminals, it is difficult to accurately identify a terminal damaged by an arbitrary attack across a plurality of terminals.

In Patent Document 1, since the range of influence is specified according to the attack scenario, it is not possible to respond to an attack not included in the attack scenario. In Patent Document 2, the presence or absence of influence is analyzed using only the communication status, and the activity status of each terminal, the system configuration, and the mission of the business system to be defended are not considered at all. Therefore, in Patent Document 2, it is difficult to specify the range of influence with high accuracy.

Note that Non-Patent Document 1 is a technique for identifying a damaged resource in a single terminal, and does not correspond to a business processing system including a plurality of terminals.

The present invention has been made in view of the above problems, and an object of the present invention is a business processing system monitoring device and monitoring capable of detecting an attack on a business processing system including a plurality of computers and analyzing the influence of the attack. To provide a method.

A business processing system monitoring device according to one aspect of the present invention in order to solve the above problems is a device that monitors a business processing system including a plurality of computers, and is executed by a plurality of computers in connection with the business processing. It depends on the activity management unit that manages the activity and the importance of the activity, the detection unit that detects attacks on each computer, the importance of the information processing activity executed by each computer, the system configuration of each computer, and the detection unit. It is provided with an impact analysis unit that analyzes the impact of an attack on any one or more of the computers based on the detection result.

The impact analysis unit detects the first computer in which the attack was detected and the second computer that has not been detected but may be attacked, and the probability that the second computer is being attacked. Can also be calculated.

According to the present invention, the influence of an attack on a computer can be analyzed based on the importance of the information processing activity executed by each computer, the system configuration of each computer, and the detection result of the attack.

It is explanatory drawing which shows the outline of the whole system including a business processing system and a mission guarantee device as a "business processing system monitoring device". It is a figure which shows the structure of the mission guarantee device. It is a figure which shows the scenario of the influence analysis. It is a figure which shows the record example of a mission-related activity database. It is a figure which shows the record example of the detection database. It is a figure which shows the record example of the activity content database. It is a figure which shows the record example of the system configuration database. It is a figure which shows the record example of the vulnerability information database. It is a figure which shows the record example of a network connectivity database. It is a figure which shows the record example of the attack pattern database. It is a figure which shows the record example of the relational network database. It is a figure which shows the record example of the damage estimation / damage prediction database. It is a figure which shows the processing outline of the influence analysis part. It is a figure which shows the processing procedure of the damage estimation relation network construction part. It is a figure which shows the processing procedure of the damage prediction relation network construction part. It is a figure which shows the example of the screen which displays the influence analysis result. It is explanatory drawing about the synchronization of suspicious activity.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. The business processing system monitoring device according to the present embodiment is a terminal or an attack that is likely to be an attack target based on the mission in the business processing system 50 to be defended, the activity status of each terminal 51, and the information on the system configuration of each terminal. Identify terminals that have much in common with the damaged terminal.

The business processing system monitoring device of the present embodiment has an impact analysis unit that analyzes the impact of an attack on the business processing system. The Impact Analysis Department considers damage estimation terminals that may have been damaged by attacks and damage predictions that are not currently attacked but may be attacked in the future from among multiple terminals included in the business processing system. Identify the terminal. Further, the business processing system monitoring device of the present embodiment includes a function of detecting an attack, a function of deriving a countermeasure against the attack, and a function of implementing the countermeasure.

The business processing system monitoring device of the present embodiment realizes effective countermeasures against an attack by grasping the mission (business content) performed in the business processing system and analyzing the influence when an attack occurs. According to the business processing system monitoring device of the present embodiment, the effects of targeted attacks and malware activities can be appropriately analyzed, which can lead to effective countermeasures.

The first embodiment will be described with reference to FIGS. 1 to 17. FIG. 1 is a schematic view of an entire system including a mission guarantee device 10 as an example of a “business processing system monitoring device” and a business processing system 50 to be defended. FIG. 2 shows a configuration example of the mission guarantee device 10.

The mission guarantee device 10 is connected to the terminals 51A to 51F in the business processing system 50 via the communication network 40. Further, the mission guarantee device 10 is also connected to a network sensor 20 that monitors the communication network 40. The mission guarantee device 10 is connected to a terminal sensor 30 that monitors the system terminals 51A to 51F, respectively, via the communication network 40 and the system terminals 51A to 51F.

In this embodiment, analysis and countermeasures when an attack is detected in three system terminals 51A to 51C in a business processing system 50 composed of six system terminals 51A to 51F will be described. The method of analyzing the influence of the attack on the remaining three system terminals 51D to 51F will be described in detail. System terminals 51A to 51F are examples of "computers". Hereinafter, the system terminal is abbreviated as "terminal".

In the following, the terminals for which the damage due to the attack is definite are the damage-determined terminals 51A to 51C, and the terminals that may have been damaged by the attack are the damage estimation terminals 51D, which may be damaged in the future. The terminal is called a damage prediction terminal 51E. The terminal 51F is a terminal unrelated to the attack. When the terminals 51A to 51F are not particularly distinguished, they are referred to as terminals 51.

(System overview)

The mission guarantee device 10, for example, derives mission-related activities (200), detects an attack (210), analyzes the effects of an attack (220), derives countermeasures based on the analysis results (230), and implements countermeasures (240). It is responsible for the five processes.

Further, the mission guarantee device 10 includes a mission-related activity DB 100, a detection DB 110, an activity content DB 120, a system configuration DB 130, a vulnerability information DB 140, a network connectivity information DB 150, an attack pattern DB 160, a knowledge DB 170, a related network DB 180, and damage estimation. It is equipped with a damage prediction DB 190. In the figure, the phrase "DB" may be omitted for display.

The mission guarantee device 10 has two operation phases. One is the phase of deriving mission-related activities. In the mission-related activity derivation phase, mission-related activities in the business processing system 50 are derived. The other is the phase of dealing with attacks. The attack response phase is carried out after the completion of the mission-related activity derivation phase to detect attacks and respond to attacks.

The mission-related activity out-licensing is performed by the mission-related activity out-licensing unit 200. Here, the mission-related activity is the behavior of the terminal 51 related to the business performed by the business processing system 50.

As shown in FIG. 2, the mission-related activity derivation unit 200 includes, for example, a mission-related activity input support unit 201 and a normal profile creation unit 202. The mission-related activity input support unit 210 is an interface for the administrator H1 of the business processing system 50 to input information related to the mission-related activity.

The normal profile creation unit 220 learns the normal behavior of the terminal 51 in the business processing system 50 based on the information from the network sensor 20 and each terminal sensor 30. The mission-related activities defined by the mission-related activity input support unit 210 and the normal profile creation unit 220 are stored in the mission-related activity database 100. Hereinafter, the database may be abbreviated as DB.

The detection unit 210 detects an attack on the terminal 51. The detection unit 210 detects an attack on the terminal 51 based on the information from the network sensor 20 and the terminal sensor 30. An example of a specific detection method will be given. For example, the detection unit 210 considers the behavior that is not stored in the mission-related activity DB 100 among the terminal behavior information received from both the sensors 20 and 30 as a suspicious activity. For example, the detection unit 210 regards a terminal 51 that performs a certain number or more of suspicious activities within a certain time as a suspicious terminal. The detection unit 210 detects an attack when communication is occurring between suspicious terminals. The above detection method is an example, and the detection unit 210 may detect an attack by another method. The detection result of the detection unit 210 is stored in the detection DB 110.

The impact analysis of the attack is performed by the impact analysis unit 220. The impact analysis unit 220 derives the probability that a certain terminal 51 is a damage estimation terminal and the probability that it is a damage prediction terminal, respectively. As will be described later, the impact analysis unit 220 uses the mission-related activity DB 100, detection DB 110, activity content DB 120, system configuration DB 130, vulnerability information DB 140, network connectivity DB 150, attack pattern DB 160, and knowledge DB 170 as inputs.

Information collected from the network sensor 20 and each terminal sensor 30 is stored in the activity content DB 120. The system configuration DB 130 stores the system configuration of each terminal 51 in the business processing system 50. Vulnerability information DB 140 stores information on vulnerabilities collected from the outside. The network connectivity DB 150 stores information regarding whether or not communication is possible between the terminals 51. The attack pattern DB 160 stores attack patterns that have occurred in the past in the business processing system 50. For example, when a certain terminal is attacked, the rate at which another specific terminal is attacked is stored in the attack pattern DB 160 as an attack pattern. Information that contributes to impact analysis is stored in the knowledge DB 170. For example, information on recent attack trends and the like is stored in the knowledge DB 170.

The impact analysis unit 220 includes a damage estimation relationship network construction unit 221, a damage prediction relation network construction unit 222, an impact analysis user interaction unit 223, and a probability calculation unit 224.

The damage estimation relationship network construction unit 221 analyzes the probability that a certain terminal 51 is a damage estimation terminal from the viewpoint of the relationship with other terminals, and stores it in the relationship network DB 180 in the form of a Bayesian network.

The damage prediction relationship network construction unit 222 analyzes the probability that a certain terminal 51 is a damage prediction terminal from the viewpoint of the relationship with other terminals, and stores it in the relationship network DB 180 in the form of a Bayesian network.

The impact analysis user interaction unit 223 visualizes the Bayesian network stored in the related network DB 180 and presents it to the administrator H2 who manages the mission guarantee device 10. The administrator H2 modifies the elements of the Bayesian network via the impact analysis user interaction unit 223.

The probability calculation unit 224 calculates the probability that each terminal 51 is a damage estimation terminal and the probability that each terminal is a damage prediction terminal based on the modified Bayesian network, and outputs the calculation result to the damage estimation / damage prediction DB 190. Store.

The countermeasure derivation unit 230 performs the derivation of the countermeasure against the attack. The countermeasure derivation unit 230 determines the countermeasure for each terminal 51 and the priority for implementing the countermeasure based on the contents of the damage estimation / damage prediction DB 190. For example, a high priority is set for a terminal having a high probability of being a damage estimation terminal / damage prediction terminal or a terminal having a high influence on a mission. The countermeasures on each terminal may be determined based on a list of countermeasure candidates created in advance. Countermeasures include, for example, blocking the terminal 51 from the network 40, forcibly shutting down the terminal 51, limiting the partner terminal with which the terminal 51 can communicate, and the like. Furthermore, in the case of a damage prediction terminal, it may be switched to a backup terminal prepared in advance before being attacked.

The coping is carried out by the coping implementation unit 240. The coping implementation unit 240 works on the communication network 40 and the terminal sensor 30 according to the determination of the coping derivation unit 230 to implement the selected countermeasure.

The network sensor 20 monitors the communication of the communication network 40 and records which terminal 51 is communicating with which terminal. When the mission guarantee device 10 is in the mission-related activity derivation phase, the record of the network sensor 20 is normally transmitted to the mission creation unit 220. When the mission guarantee device 10 is in the attack detection phase, the record of the network sensor 20 is stored in the activity content DB 120.

The terminal sensor 30 is installed in each terminal 51, and detects and records the behavior of each terminal 51. The terminal sensor 30 records, for example, file access, communication, process activation, etc. of each terminal 51. When the mission guarantee device 10 is in the mission-related activity derivation phase, the record of the terminal sensor 30 is transmitted to the normal mission creation unit 220. When the mission guarantee device 10 is in the attack detection phase, the record of the terminal sensor 30 is stored in the activity content DB 120.

The communication network 40 is, for example, a public network such as the Internet, WAN (World Area Network), LAN (Local Area Network), mobile phone, and PHS. The communication network 40 connects the mission guarantee device 10, each terminal 51 in the business processing system 50, and the network sensor 20.

(Hardware configuration)

FIG. 2 shows the hardware configuration of the mission guarantee device 10. The mission guarantee device 10 is configured as a computer including, for example, a CPU (Central Processing Unit) 11, a memory 12, an external storage device 13, a user interface unit 14, a communication interface 15, and a bus 16. Similarly, each terminal 51 and the network sensor 20 are configured as a computer including a CPU, a memory, and the like.

The CPU 11 realizes each predetermined function by executing a computer program stored in the memory 12. The predetermined functions are a mission-related activity derivation unit 200, a detection unit 210, an impact analysis unit 220, a coping derivation unit 230, and a coping implementation unit 240.

The memory 12 stores a computer program necessary for realizing each of the above-mentioned functions. The computer program may be stored in the external storage device 13, the computer program may be read from the external storage device 13 to the memory 12, and the CPU 11 may execute the computer program.

The external storage device 13 is composed of, for example, a relatively large-capacity non-volatile storage medium such as an HDD (Hard Disk Drive) or a flash memory device. The external storage device 13 stores each DB 100 to 190 used in the mission guarantee device 10.

The user interface unit 14 is a device for exchanging information between the administrator H2 and the mission guarantee device 10, and includes an information input unit and an information output unit. The information input unit includes, for example, a keyboard, a mouse, a touch panel, a voice input device, and the like. The information output unit includes, for example, a display, a printer, and a voice synthesizer.

The mission guarantee device 10 may also be provided with an interface for inputting / outputting information to / from a recording medium such as a USB (Universal Serial Bus) memory.

The communication interface 15 connects the mission guarantee device 10 to the communication network 40.

The bus 16 connects the CPU 11, the memory 12, the external storage device 13, the user interface unit 14, and the interface 15 to each other, and realizes bidirectional communication between the devices 11 to 15.

(Impact analysis scenario)

Figure 3 shows the impact analysis scenario. In FIG. 3, the reference numerals “51” at the beginnings of the terminals 51A to 51F are omitted. In this scenario, it is assumed that the terminals 51A, 51B, 51C are detected by the detection unit 210 when the terminals 51A, 51B, 51C, and 51D are damaged by the targeted attack. At this point, no attack on the terminal 51D has yet been detected. The terminals 51A to 51C in which the attack is detected can be classified as the damage confirmed terminal 52. The terminal 51D that has been attacked but has not been detected can be classified as the damage estimation terminal 53.

In this scenario, the damage of the targeted attack will extend to the terminal 51E in the future. The terminal 51E that is not currently attacked but may be attacked in the future can be called a damage prediction terminal 54. The impact analysis unit 220 is the business processing system 50.

Further, in this scenario, the terminal 51F has not been damaged at present and will not be damaged in the future. The terminal 51F, which is not likely to be attacked now or in the future, can be classified as an unrelated terminal 55.

The impact analysis unit 220 identifies the damage determination terminal 52, the damage estimation terminal 53, the damage prediction terminal 54, and the unrelated terminal 55 from each terminal 51 constituting the business processing system 50.

(Structure of various DBs)

FIG. 4 shows a configuration example of a mission-related activity DB 100 that manages mission-related activities. Each record of this DB100 shows the mission content and its importance. The DB 100 manages, for example, an identifier (ID) 101, an activity terminal 102, an activity type 103, an activity content 104, and a mission importance 105.

Here, the ID 101 is an identifier that uniquely identifies each mission. The activity terminal 102 is an identifier of a terminal that executes a mission. Activity type 103 indicates the type of mission. Activity content 104 indicates a specific activity content. Mission importance 105 indicates the importance of the mission. The mission importance can be managed in three stages, for example, L (Low), M (Middle), and H (High). Not limited to this, the importance of the mission may be managed in two stages, four stages or more, or may be expressed numerically.

A value of "N / A" can be set for the activity type 103 and the activity content 104. When "N / A" is set for the activity type 103 and the activity content 104, the value of the mission importance 105 is set for all the activities specified by the activity terminal 102.

Hereinafter, an example shown in FIG. 4 will be described. In the record of "ID = 1" shown at the top of the DB 100, the activity terminal 102 has "terminal 51A", the activity type 103 has "internal communication", and the activity content 104 has "terminal 51A → terminal 51B: 80" ( "80" is the port number of the communication destination), and "M" is set for the mission importance 105.

In the record of "ID = 2", "terminal A" is set for the activity terminal 102, "WEB communication" is set for the activity type 103, "terminal A → abcd" is set for the activity content 104, and "M" is set for the mission importance 105. To.

In the record of "ID = 3", "terminal B" is set for the activity terminal 102, "process" is set for the activity type 103, "a.exe" is set for the activity content 104, and "M" is set for the mission importance 105. ..

In the record of "ID = 4", "terminal B" is set for the activity terminal 102, "process" is set for the activity type 103, "b.exe" is set for the activity content 104, and "M" is set for the mission importance 105. ..

For the record of "ID = 5", "Terminal B" is set for activity terminal 102, "Port open" is set for activity type 103, and "b.exe: 80" is set for activity content 104 (b.exe listens on port 80). (Indicating to do), "H" is set to mission importance 105.

In the record of "ID = 6", "terminal C" is set for the activity terminal 102, "process" is set for the activity type 103, "c.exe" is set for the activity content 104, and "L" is set for the mission importance 105. ..

In the record of "ID = 7", "terminal D" is set for the activity terminal 102, "N / A" is set for the activity type 103, "N / A" is set for the activity content 104, and "H" is set for the mission importance 105. ing.

In the record of "ID = 8", "terminal E" is set for the activity terminal 102, "port open" is set for the activity type 103, "b.exe: 80" is set for the activity content 104, and "H" is set for the mission importance 105. Will be done.

In the record of "ID = 9", "terminal F" is set for the activity terminal 102, "N / A" is set for the activity type 103, "N / A" is set for the activity content 104, and "L" is set for the mission importance 105. ing.

FIG. 5 is a configuration example of the detection DB 110 that manages the detected attack. Each record of the DB 110 records an ID 111, a detection time 112, a detection terminal 113, and a detection reason 114.

ID111 is an identifier that uniquely identifies a record in the DB 110. The detection time 112 is the time when the attack is detected. The detection terminal 113 is an identifier that identifies the terminal to be detected. When a plurality of terminals 51 are detected at one time, the identifiers of all the terminals are described in the detection terminal 113. The detection reason 114 is a reason for detecting an attack.

Hereinafter, some record examples of FIG. 5 will be described. In the record of "ID = 1", the detection time 112 is "2015/12/16 10:00:00", the detection terminal 113 is "terminals A, B, C", and the detection reason 114 is "A, B, C,". The number of suspicious activities of the three terminals exceeds the threshold value "is set. This detection record matches the scenario shown in FIG.

In the record of "ID = 2", "2016/12/16 10:00:00" is set at the detection time 112, "terminal D" is set at the detection terminal 113, and "known malware activation" is set at the detection reason 114. .. In the record of "ID = 3", "2017/12/16 10:00:00" is set at the detection time 112, "terminal E" is set at the detection terminal 113, and "known malware activation" is set at the detection reason 114. ..

FIG. 6 shows a configuration example of an activity content DB 120 that manages the activities of each terminal 51. Each record of the DB 120 records the activity content of each terminal 51 detected by the network sensor 20 or the terminal sensor 30. That is, each record records ID 121, recording time 122, activity terminal 123, activity type 124, activity content 125, and non-mission activity flag 126.

ID 121 is an identifier that uniquely identifies a record in the DB 120. The recording time 122 is the time when the activity of the terminal 51 is recorded. The activity terminal 123 is an identifier of the terminal that is the subject of the activity. The activity type 124 is a type of activity. Activity content 125 is the activity content carried out.

The non-mission activity flag 126 is a flag indicating whether the detected activity is an activity not included in the mission-related activity DB 100. When the activity content 125 is an activity not described in the mission-related activity DB 100, "Y" is set in the flag value. On the other hand, when the activity content 125 is an activity described in the mission-related activity DB 100, "N" is set as the flag value. An activity in which "Y" is set in the flag value indicates that the activity is not normally performed.

An example of the record of FIG. 6 will be described. For the record of "ID = 1", "2015/12/16 09:00:00" at the recording time 122, "terminal A" at the activity terminal 123, "process" at the activity type 124, and "mal" at the activity content 125. ".exe", "Y" is set to the non-mission activity flag 126.

For the record of "ID = 2", "2015/12/16 09:10:00" at the recording time 122, "terminal A" at the activity terminal 123, "internal communication" at the activity type 124, and "internal communication" at the activity content 125. "Terminal A-> Terminal B: 80", "N" is set in the non-mission activity flag 126.

For the record of "ID = 3", "2015/12/16 09:10:00" at the recording time 122, "terminal A" at the activity terminal 123, "internal communication" at the activity type 124, and "internal communication" at the activity content 125. "Terminal A-> Terminal D: 80", "N" is set in the non-mission activity flag 126.

For the record of "ID = 4", "2015/12/16 09:10:00" at the recording time 122, "terminal A" at the activity terminal 123, "port open" at the activity type 124, and "port open" at the activity content 125. "mal.exe: 100", "Y" is set in the non-mission activity flag 126.

For the record of "ID = 5", "2015/12/16 09:20:00" at the recording time 122, "terminal B" at the activity terminal 123, "process" at the activity type 124, and "mal" at the activity content 125. ".exe", "Y" is set in the non-mission activity flag 126.

For the record of "ID = 6", "2015/12/16 09:30:00" at the recording time 122, "terminal B" at the activity terminal 123, "internal communication" at the activity type 124, and "internal communication" at the activity content 125. "Terminal B-> Terminal C: 80", "N" is set in the non-mission activity flag 126.

For the record of "ID = 7", "2015/12/16 09:30:00" at the recording time 122, "terminal B" at the activity terminal 123, "port open" at the activity type 124, and "port open" at the activity content 125. "mal.exe: 100", "Y" is set in the non-mission activity flag 126.

For the record of "ID = 8", "2015/12/16 09:40:00" at the recording time 122, "terminal C" at the activity terminal 123, "process" at the activity type 124, and "mal" at the activity content 125. ".exe", "Y" is set in the non-mission activity flag 126.

For the record of "ID = 9", "2015/12/16 09:50:00" at the recording time 122, "terminal C" at the activity terminal 123, "internal communication" at the activity type 124, and "internal communication" at the activity content 125. "Terminal C-> Terminal D: 80", "N" is set in the non-mission activity flag 126.

The record of "ID = 10" is "2015/12/16 10:00:00" at the recording time 122, "terminal C" at the activity terminal 123, "port open" at the activity type 124, and "mal" at the activity content 125. .exe: 100 "," Y "is set in the non-mission activity flag 126.

For the record of "ID = 11", "2015/12/16 09:30:00" at the recording time 122, "terminal D" at the activity terminal 123, "process" at the activity type 124, and "mal" at the activity content 125. ".exe", "Y" is set in the non-mission activity flag 126.

For the record of "ID = 12", "2015/12/16 09:40:00" at the recording time 122, "terminal E" at the activity terminal 123, "port open" at the activity type 124, and "port open" at the activity content 125. b.exe: 80 "," N "is set in the non-mission activity flag 126.

FIG. 7 shows a configuration example of the system configuration DB 130 that manages the configuration of the terminal 51. Each record of the DB 130 records an OS (operating system) and an APP (application) installed in the terminal 51. This DB 130 is managed by the administrator H2. The administrator H2 can manually input the system configuration information of each terminal 51 into the DB 130. Alternatively, a configuration management program that automatically manages the configuration and reports to the mission guarantee device 10 may be installed in each terminal 51, and the contents of the system configuration DB 130 may be automatically updated. A configuration management program may be provided in the terminal sensor 30.

The system configuration DB 130 records the ID 131, the terminal 132, the asset type 133, and the asset content 134.

ID131 is an identifier that uniquely identifies each record. The terminal 132 is an identifier of the target terminal. Asset type 133 is the type of asset. Asset content 134 indicates the content of the asset. An example record of FIG. 7 will be described.

In the record of "ID = 1", "terminal A" is set in the terminal 132, "OS" is set in the asset type 133, and "OS-1" is set in the asset content 134.

In the record of "ID = 2", "terminal A" is set for the terminal 132, "APP" is set for the asset type 133, and "APP-1" is set for the asset content 134.

In the record of "ID = 3", "terminal B" is set for the terminal 132, "OS" is set for the asset type 133, and "OS-2" is set for the asset content 134.

In the record of "ID = 4", "terminal B" is set for the terminal 132, "APP" is set for the asset type 133, and "APP-1" is set for the asset content 134.

In the record of "ID = 5", "terminal C" is set for the terminal 132, "OS" is set for the asset type 133, and "OS-3" is set for the asset content 134.

In the record of "ID = 6", "terminal C" is set for the terminal 132, "APP" is set for the asset type 133, and "APP-1" is set for the asset content 134.

In the record of "ID = 7", "terminal D" is set for the terminal 132, "OS" is set for the asset type 133, and "OS-1" is set for the asset content 134.

In the record of "ID = 8", "terminal D" is set for the terminal 132, "APP" is set for the asset type 133, and "APP-1" is set for the asset content 134.

In the record of "ID = 9", "terminal E" is set for the terminal 132, "OS" is set for the asset type 133, and "OS-2" is set for the asset content 134.

In the record of "ID = 10", "terminal E" is set for the terminal 132, "APP" is set for the asset type 133, and "APP-1" is set for the asset content 134.

In the record of "ID = 11", "terminal F" is set for the terminal 132, "OS" is set for the asset type 133, and "OS-4" is set for the asset content 134.

In the record of "ID = 12", "terminal F" is set for the terminal 132, "APP" is set for the asset type 133, and "APP-4" is set for the asset content 134.

FIG. 8 is a configuration example of the vulnerability information DB 140 that manages vulnerability information. Each record of this DB 140 records information on vulnerabilities published by various security vendors, public institutions, and the like. Vulnerability information DB 140 records ID 141, vulnerability ID 142, publication date and time 143, and affected APP / OS 144.

ID 141 is an identifier that uniquely identifies each record. Vulnerability ID 142 is a vulnerability identifier given by the organization that published the vulnerability. The publication date and time 143 indicates the date and time when the vulnerability was published. Affected APP / OS 144 indicates operating systems and application programs that are affected by the vulnerability.

An example record of FIG. 8 will be described. In the record of "ID = 1", "CVE-2015-9999" is set for the vulnerability ID 142, "2015/12/10" is set for the release date and time, and "APP-1" is set for the affected APP / OS. ..

In the record of "ID = 2", "CVE-2016-9999" is set for the vulnerability ID 142, "2015/12/11" is set for the release date and time, and "OS-4" is set for the affected APP / OS. ..

FIG. 9 is a configuration example of the network connectivity DB 150 that manages the network connection relationship between the terminals 51. Each record of the network connectivity DB 150 indicates whether or not communication can be performed from one terminal to another. Whether or not communication is possible is determined by whether or not communication is permitted on a firewall or terminal on the communication path. This DB 150 is managed by administrator H1 or administrator H2.

The network connectivity DB 150 includes, for example, an ID 151, a communication source terminal 152, a communication destination terminal 153, and a state 154.

ID 151 is an identifier for uniquely identifying each record. The communication source terminal 152 indicates a terminal that starts communication. The communication destination terminal 153 indicates a terminal that is a communication destination. The state 154 indicates whether or not communication from the communication source terminal 152 to the communication destination terminal 153 is permitted.

An example record of FIG. 9 will be described. In the record of "ID = 1", "terminal A" is set for the communication source terminal 152, "terminal E" is set for the communication destination terminal 153, and "OK" is set for the state 154.

In the record of "ID = 2", "terminal A" is set for the communication source terminal 152, "terminal F" is set for the communication destination terminal 153, and "non" is set for the state 154.

In the record of "ID = 3", "terminal C" is set for the communication source terminal 152, "terminal F" is set for the communication destination terminal 153, and "OK" is set for the state 154.

FIG. 10 shows a configuration example of an attack pattern DB 160 that manages an attack pattern on the business processing system 50. Each record of the DB 160 records an attack pattern obtained from a past case in the business processing system 50. The attack pattern here indicates the rate at which a specific terminal is attacked after one terminal is attacked. The record of the attack pattern DB 160 can be manually input by the administrator H2. Every time an attack occurs in the business processing system 50, the administrator H2 analyzes the damage trend and inputs the analysis result into the attack pattern DB 160. The administrator H2 may input information into the attack pattern DB 160 based on the information of the detection DB 110.

The attack pattern DB 160 includes an ID 161, an initial damage terminal 162, a continuous damage terminal 163, and a probability 164.

ID161 is an identifier for uniquely identifying each record. The initial damage terminal 162 indicates a terminal that has been attacked relatively earlier in the past attack. The continuous damage terminal 163 indicates a terminal that has been attacked relatively later in the past attack. The probability 164 indicates the rate at which the continuous damage terminal 163 was attacked after the initial damage terminal 162 was attacked in the past attack.

An example of a record of FIG. 10 will be described. In the record of "ID = 1", "terminal A" is set for the initial damage terminal 162, "terminal C" is set for the continuous damage terminal 163, and "0.2" is set for the probability 164.

In the record of "ID = 2", "terminal C" is set for the initial damage terminal 162, "terminal E" is set for the continuous damage terminal 163, and "0.4" is set for the probability 164.

In the record of "ID = 3", "terminal A" is set for the initial damage terminal 162, "terminal F" is set for the continuous damage terminal 163, and "0.0" is set for the probability 164.

FIG. 11 shows a configuration example of the related network DB 180. The relationship network DB 180 manages a network showing the relationship between terminals related to the damage estimation terminal and a network showing the relationship between the terminals related to the damage prediction terminal. Each record of the relational network DB 180 records either the calculation result of the damage estimation relational network construction unit 221 or the calculation result of the damage prediction relational network construction unit 222.

The damage estimation relationship network construction unit 221 calculates the relationship network related to the damage estimation terminal. The damage prediction relationship network construction unit 222 calculates the relationship network related to the damage prediction terminal.

The relationship network DB 180 includes an ID 181, a type 182, and a relationship network 183.

ID181 is an identifier for uniquely identifying each record. Type 182 indicates the type of relationship network that is stored. In type 182, a value for identifying whether the network is for deriving the damage estimation terminal or the network for deriving the damage prediction terminal is recorded. The relationship network 183 stores the details of the relationship network between terminals in a graph format. The storage format is not limited to the graph format. Other forms such as tabular form may be used.

An example of the record of FIG. 11 will be described. The record of "ID = 1" is a record of which type 182 is a "damage estimation terminal".

Each node 184 in the relational network 183 indicates a terminal 51. In the circle indicating the node 184, an alphabet for distinguishing the terminal 51 and a numerical value are described.

The numerical value in the node 184 indicates either the "prior probability" in which each terminal 51 is a damage estimation terminal or the "prior probability" in which the damage confirmed terminal. Here, since the record of "ID = 1" is a record related to the damage estimation terminal, the numerical value in the node 184 included in the record indicates the prior probability of the damage estimation terminal.

Here, the prior probability is the probability that a certain terminal is damaged in a situation where the relationship between other terminals is completely excluded. Here, since the terminals A, B, and C (that is, 51A, 51B, and 51C) are damage-determined terminals for which damage due to an attack has already been detected, the prior probabilities of those terminals A, B, and C are 1. It is 0.0. The probabilities that the other terminals D, E, and F (that is, 51D, 51E, and 51F) are damage estimation terminals are 0.6, 0.4, and 0.1, respectively.

The arc 185 expresses a "conditional probability" which is the probability that the terminal at the tip of the arc is damaged, assuming that the terminal at the base of the arc is damaged. For example, pay attention to the arc 185 from the terminal A to the terminal D. In this arc 185, assuming that the terminal A is damaged, the probability that the terminal D is damaged is 0.8.

Since the terminals A to C are damage-determined terminals that are known to be damaged, there is no conditional probability between the terminals A to C.

The record of "ID = 2" indicates a record of which type 182 is a "damage prediction terminal". Each node 187 in the relational network 183 indicates a terminal 51. The numerical value in the node 187 indicates the "prior probability" that each terminal is a damage prediction terminal. In the record of "ID = 2", the prior probability indicates the probability that a certain terminal will be damaged in the future under the condition that the relationship of other terminals is completely excluded.

Since the terminals A to C are damage confirmed terminals, the prior probability is 1.0. The probabilities that terminals D, E, and F are damage prediction terminals are 0.4, 0.6, and 0.1, respectively.

The arc 188 expresses a "conditional probability" which is the probability that the terminal at the tip of the arc will be damaged in the future, assuming that the terminal at the base of the arc is damaged. In the arc 188 from the terminal A to the terminal D, assuming that the terminal A is damaged, the probability that the terminal D will be damaged in the future is 0.8. There is no conditional probability between A and C, which are damage confirmation terminals.

FIG. 12 shows a configuration example of the damage estimation / damage prediction DB 190. Each record of the DB 190 indicates the probability that a certain terminal is a damage confirmation terminal, a probability that it is a damage estimation terminal, and a probability that it is a damage prediction terminal. Probabilities range from 0.0 to 1.0. Since each of the three types of probabilities is calculated independently, the total value of the three probabilities may exceed 1.0. Each record is calculated by the probability calculation unit 224.

The damage estimation / damage prediction DB 190 includes a terminal 191, a damage confirmation terminal 192, a damage estimation terminal 193, and a damage prediction terminal 194.

The terminal 191 indicates a terminal for which the probability is calculated. The damage confirmation terminal 192 indicates the probability that the terminal specified by the terminal 191 is a damage confirmation terminal. The damage estimation terminal 193 indicates the probability that the terminal specified by the terminal 191 is a damage estimation terminal. The damage prediction terminal 194 indicates the probability that the terminal specified by the terminal 191 is a damage prediction terminal.

An example record of FIG. 12 will be described. In the record in which the terminal 191 is "terminal A", "1.0" is set for the damage determination terminal 192, "0.0" is set for the damage estimation terminal 193, and "0.0" is set for the damage prediction terminal 194.

In the record in which the terminal 191 is "terminal B", "1.0" is set for the damage determination terminal 192, "0.0" is set for the damage estimation terminal 193, and "0.0" is set for the damage prediction terminal 194.

In the record in which the terminal 191 is "terminal C", "1.0" is set for the damage determination terminal 192, "0.0" is set for the damage estimation terminal 193, and "0.0" is set for the damage prediction terminal 194.

In the record in which the terminal 191 is "terminal D", "0.0" is set for the damage confirmation terminal 192, "0.8" is set for the damage estimation terminal 193, and "0.7" is set for the damage prediction terminal 194.

In the record in which the terminal 191 is "terminal E", "0.0" is set for the damage determination terminal 192, "0.3" is set for the damage estimation terminal 193, and "0.9" is set for the damage prediction terminal 194.

In the record in which the terminal 191 is "terminal F", "0.0" is set for the damage determination terminal 192, "0.1" is set for the damage estimation terminal 193, and "0.1" is set for the damage prediction terminal 194.

These pieces of information stored in the damage estimation / damage prediction DB 190 are used when the countermeasure derivation unit 230 takes a countermeasure for each terminal 51.

FIG. 13 shows a configuration example of the impact analysis unit 220. The inputs of the impact analysis unit 220 are eight types of DBs: mission-related activity DB100, detection DB110, activity content DB120, system configuration DB130, vulnerability information DB140, network connectivity DB150, attack pattern DB160, and external knowledge DB170.

The damage estimation relation network construction unit 221 and the damage prediction relation network construction unit 222 calculate the relation network 183 based on the inputs of the DBs 100 to 170. As described above, the related network 183 can include a related network related to the damage estimation terminal and a related network related to the damage prediction terminal. When calculating the related network 183, it is not always necessary to use all of the DBs 100 to 170.

The administrator H2 can browse and operate the calculated relationship network 183 by using the impact analysis user interaction unit 223.

Possible operations of the administrator H2 include, for example, addition and deletion of nodes indicating that they are analysis target terminals, modification of prior probabilities of each node, and modification of conditional probabilities between nodes. The reason why such operation processing is possible is that the knowledge about the attack and the knowledge about the business processing system 50 possessed by the administrator H2 are reflected in the related network 183.

The probability calculation unit 224 uses the related network 183 as an input to calculate the posterior probability that each terminal is a damage estimation terminal and the posterior probability that each terminal is a damage prediction terminal, and stores them in the damage estimation / damage prediction DB 190. The "posterior probability" corresponds to the "probability that the second computer is being attacked".

In calculating posterior probabilities, existing algorithms such as belief propagation may be used. The posterior probabilities may be obtained by combining the prior probabilities and the conditional probabilities in any way. For example, when the prior probability of a terminal X is P_PRE (X), the conditional probability from terminal A to terminal X is P_A (X), and the conditional probability from terminal B to terminal X is P_B (X). The posterior probability P_POST (X) of the terminal X may be obtained as follows.

P_POST (X) = W0 * P_PRE (X) + W1 * P_A (X) + W2 * P_B (X) ... (Equation 1)

Here, in the above equation 1, W0, W1, and W2 are weighting coefficients of each probability. The value of the weighting factor is determined by any means. For example, the value of the weighting coefficient may be stored in a DB or the like in advance.

From the above equation 1, the more general equation 2 below can also be obtained. Any function Fx that satisfies Equation 2 may be defined.

P_POST (X) = Fx (P_PRE (X), P_A (X), P_B (X)) ... (Equation 2)

FIG. 14 shows an example of the processing procedure of the damage estimation related network construction unit 221. In this example, the damage estimation-related network construction unit 221 is based on the mission-related activity DB100, detection DB110, activity content DB120, system configuration DB130, vulnerability information DB140, attack pattern DB160, and external knowledge DB170, and is related to the damage estimation terminal. Build a network. Hereinafter, the names of the DBs in the drawings will be simplified as appropriate.

The processing procedure for constructing the relationship network of the damage estimation terminal is roughly divided into four processing S10, S11, S12, and S13 as described below.

In the process S10, the prior probability that each terminal 51 is a damage estimation terminal is calculated. In the process S11, the conditional probability between the damage-determined terminal and the terminal other than the damage-determined terminal is calculated. In the process S12, the conditional probability between the terminals other than the damage confirmed terminal is obtained. In process S13, the external knowledge is reflected in the related network.

In the prior probability calculation in the process S10, the prior probability is calculated from two points, the importance S101 of the mission and the presence / absence of vulnerability S102. In the process S10, the prior probabilities of the damage estimation terminal are calculated by integrating the results of the S101 and S102.

In the process S101 for calculating the importance of the mission, first, the mission-related DB 100 is referred to, and the importance of each terminal 51 in the mission is calculated. For the importance of the terminal 51, a value having the highest mission importance 105 among the activity contents 104 related to the terminal 51 is set. In the example of FIG. 4, the importance of the terminal A is M, the importance of the terminal B is H, the importance of the terminal C is L, the importance of the terminal D is H, the importance of the terminal E is H, and the importance of the terminal F. The degree is L.

In the process S102 for calculating the presence / absence of vulnerabilities, the presence / absence of vulnerabilities in each terminal 51 is calculated by two values with reference to the system configuration DB 130 and the vulnerability information DB 140. In the examples shown in FIGS. 7 and 8, terminals A and F are "vulnerable", and other terminals B to E are "not vulnerable". However, instead of evaluating the presence or absence of vulnerability by a binary value, it may be evaluated by a value of 3 or more. For example, in the process S102, it is possible to evaluate with three or more values according to the severity of the vulnerability, the number of vulnerabilities possessed by the terminal, and the like.

The process S10 has an arbitrary function F_S10 for mapping the importance of the terminal (S101) and the presence / absence of vulnerability (S102) to the value of the prior probability in the relational network of the damage estimation terminal. For example, the following equation 3 is used.

P_PRE (D) = F_S10 (importance = H, vulnerability = none) ... (Equation 3)

The process S11 calculates the probability of the attack pattern, the process S103 for determining the presence / absence of access, the process S104 for determining the similarity of suspicious activities, the process S105 for determining the similarity of the accessed patterns, and the process S106 for determining the similarity of the system configuration. Based on the calculation process S107, the conditional probability from a certain damage determination terminal to a certain damage estimation terminal is calculated.

In the process S103 for determining the presence / absence of access, the presence / absence of communication access from one terminal to another terminal within the past fixed time is determined based on the detection DB 110 and the activity content DB 120. In FIG. 6, for example, the access from the terminal A to the terminal D and the access from the terminal C to the terminal D are both “accessed”. Here, the presence / absence of access from the terminal A to the terminal D is expressed as F_S103 (A, D).

In the process S104 for obtaining the similarity of suspicious activities, the similarity of suspicious activities performed by two terminals in the past fixed time is obtained based on the detection DB 110 and the activity content DB 120. For example, in FIG. 6, since the terminal D and the terminal A (or the terminal B and the terminal C) start the same process “mal.exe”, it can be determined that the degree of similarity of the suspicious activities is high. The process "mal.exe" is a suspicious activity that does not correspond to a mission activity on terminals A and D.

The similarity of suspicious activity may be obtained by regarding the record of suspicious activity performed at each terminal as a set and using an existing algorithm such as the Jaccard coefficient, or by defining an arbitrary function. You may ask for it. For example, the degree of similarity between the terminal A and the terminal D is expressed as F_S104 (A, D). The calculation formula based on Jaccard has a small amount of calculation, and can reliably catch an attack that performs exactly the same activity on a plurality of terminals.

As another means for determining the similarity (similarity) of suspicious activity, there is a method for determining the synchronization of the occurrence time of suspicious activity performed by two terminals in the past fixed time. In the synchronism calculation, the synchrony of the activity is calculated based on the sum of the minimum differences in the times when the activities of the same type are performed on the two terminals. In this method, only the type and time of the activity are focused on, regardless of the activity content (which process was started, which WEB site was accessed). In the example of FIG. 17A, the terminal B starts the suspicious process at time t0 and t2, and the terminal D starts the suspicious process at time t0'and time t2'. Further, the terminal B performs suspicious WEB communication at time t1, and the terminal D performs suspicious WEB communication at time t1'. Therefore, the sum of the minimum time differences between the two terminals is | t0-t0'| + | t1-t1'| + | t2-t2'|, and the smaller this value, the more similar the suspicious activity between the two terminals. Will be expensive. Therefore, the reciprocal of the total value can be used as the degree of similarity.

More formally, the similarity of suspicious activity based on the synchronization of the occurrence time may be obtained by applying spikeTrain, an existing algorithm for determining the similarity of a plurality of point processes. One of the specific calculation formulas is a formula as shown in FIG. 17 (b). The calculation formula based on synchronism can calculate the degree of similarity even for an attack that changes the activity content according to the terminal.

Further, if there is a difference in the time when the attack is performed between the two terminals, the difference in the occurrence time of the suspicious activity inevitably increases, so that the value of the calculation formula based on FIG. 17B becomes small. Calibration may be performed as a solution to this problem. That is, in the calculation formula, the time when the suspicious activity occurs in one terminal is shifted in increments of a fixed time (for example, 5 minutes), and the maximum similarity is set as the similarity between both terminals. In this case, the shift time may be reflected in the calculation formula. For example, exp (-1 × shift time / TH) is multiplied by the equation in FIG. 17 (b).

Further, the similarity calculated from a plurality of viewpoints may be integrated to calculate the similarity, such as combining the similarity obtained by the Jaccard coefficient and the similarity obtained in FIG. 17B. By combining a plurality of similarities, it is possible to calculate the similarity with higher accuracy. A general method for calculating one objective variable from a plurality of explanatory variables, such as a weighted sum, can be applied to the combination formula.

Further, in order to prevent erroneous detection, when the number of terminals whose similarity exceeds a certain threshold value exceeds a certain number, those terminals may be collectively determined as a damage estimation terminal. This method is particularly effective when the assumed threat is an attacker who attacks a plurality of terminals at the same time.

Further, as described above, the similarity calculation is performed at the time when the attack is detected (when the damage confirmed terminal is detected). Therefore, if an attack is detected early, the amount of attack activity (the number of suspicious activities caused by the attack) at the time of detection is small, which may affect the performance of similarity determination. However, it is not preferable to leave the damage-determined terminal untouched in order to record the attack activity. As a solution to this problem, a decoy terminal (honeypot terminal) that attracts attackers is installed in the network in advance, and the activity of the attack on the decoy terminal is recorded to acquire the amount of suspicious activity required for similarity judgment. There is a way to do it.

In the process S105 for obtaining the similarity of the accessed patterns, the communication port used when a certain terminal was accessed from the damage-determined terminal and the communication port used when the other terminal was accessed from the other damage-determined terminal. The ratio of matching with the communication port is determined based on the detection DB 110 and the activity content DB 120.

In the example of FIG. 6, comparing the terminal B and the terminal E, the port 80 accessed by the terminal B from the terminal A is also accessed by the terminal D. Terminal D is also accessed from terminal A via port 80. Therefore, the degree of similarity between the accessed patterns is high between the terminal B and the terminal D. Here, the similarity between the accessed pattern of the terminal B and the accessed pattern of the terminal D is expressed as F_S105 (B, D).

In the process S106 for obtaining the similarity of the system configuration, the degree of similarity of the system configuration between the two terminals is obtained based on the detection DB 110 and the system configuration DB 130. For example, in FIG. 7, terminal A and terminal D use the same operating system (OS-1) and the same application (APP-1). Therefore, the degree of similarity of the system configurations of both terminals A and D is high. The similarity of the system configuration may be obtained by regarding the system configuration of each terminal as a set and using an existing algorithm such as a Jaccard coefficient, or by defining an arbitrary function. For example, the degree of similarity between the system configurations of the terminal A and the terminal D is expressed as F_S106 (A, D).

In the process S107 for calculating the probability of the attack pattern, when a certain terminal is attacked, the probability that another terminal is attacked is obtained based on the attack pattern between the terminals. The detection DB 110 and the attack pattern DB are used for the probability calculation. In the example of FIG. 10, when the terminal C is attacked, the probability that the other terminal E is attacked after that is 0.4. This is defined as F_S107 as a function, and is expressed as F_S107 (A, D) = 0.4.

In the process S11, the conditional probability P_X (Y) between the damage determination terminal X and the damage estimation terminal Y is set to an arbitrary function F_Cond1 based on the calculation results in each of the above processes S103, S104, S105, S106, and S107. Is obtained as follows using.

P_X (Y) = F_Cond1 (F_S103 (X, Y), F_S104 (X, Y), F_S105 (X, Y), F_S106 (X, Y), F_S107 (X, Y)) ... (Equation 4)

F_cond1 may be, for example, the following linear function.

F_cond1 = Wc * F_S103 (X, Y) + Wd * F_S104 (X, Y) + We * F_S105 (X, Y) + Wf * F_S106 (X, Y) + Wg * F_S107 (X, Y) ... (Equation 5)

Here, Wc, Wd, We, Wf, and Wg are weighting coefficients of each element, and are determined by any means.

The process S12 is a process S103 for determining the presence / absence of access, a process S104 for determining the similarity of suspicious activities, a process S105 for determining the similarity of accessed patterns, a process S106 for determining the similarity of system configurations, and a process S107 for determining the probability of an attack pattern. Based on the above, the conditional probability P_X (Y) from a certain damage estimation terminal to another certain damage estimation terminal is obtained as follows using an arbitrary function F_Cond2.

P_X (Y) = F_Cond2 (F_S103 (X, Y), F_S104 (X, Y), F_S105 (X, Y), F_S106 (X, Y), F_S107 (X, Y)) ... (Equation 6)

F_cond2 may be, for example, the following linear function.

F_cond1 = Wc * F_S103 (X, Y) + Wd * F_S104 (X, Y) + We * F_S105 (X, Y) + Wf * F_S106 (X, Y) + Wg * F_S107 (X, Y) ... (Equation 7)

Wc, Wd, We, Wf, and Wg are weighting coefficients of each element and are determined by any means (the same applies hereinafter).

In the process S13, the process S108 reflecting the external knowledge modifies the prior probabilities and the conditional probabilities obtained up to the process S12 with reference to the external knowledge DB 170. For example, if there is an expert's knowledge that "a terminal that has attacked terminal A has a high probability of attacking terminal D after that", the processing S108 increases the value of the conditional probability from terminal A to terminal D.

FIG. 15 shows an example of the processing procedure of the damage prediction related network construction unit 222. In this example, the damage prediction-related network construction unit 222 is based on the mission-related activity DB100, detection DB110, activity content DB120, system configuration DB130, vulnerability information DB140, network connectivity DB150, attack pattern DB160, and external knowledge DB170. Build a related network of damage estimation terminals.

The processing procedure is roughly divided into four as described below. In the process S20, the prior probability that each terminal is a damage prediction terminal is calculated. In the process S21, the conditional probability between the damage-determined terminal and the terminal other than the damage-determined terminal is calculated. In the process S22, the conditional probability between the terminals other than the damage confirmed terminal is obtained. In process S23, the external knowledge is reflected in the related network.

Since the calculation of the prior probability in the process S20 is the same as that in the process S10 described with reference to FIG. 14, the description thereof will be omitted. In FIG. 15, the code of the process S101 is changed to S201 and the code of the process S102 is changed to S202, but the contents are the same. Further, the codes of the processes S106, S107, and S108 are also changed to S206, S207, and S208, but the contents are the same.

The process S21 is based on the process S203 for determining the presence or absence of connectivity, the process S204 for determining the existence of the estimated access means, the process S206 for determining the similarity of the system configuration, and the process S207 for calculating the probability of the attack pattern. Calculate the conditional probability from the damage confirmation terminal to a certain damage prediction terminal.

The process S203 for determining the presence or absence of connectivity determines whether or not communication is possible between a certain two terminals by using the network connectivity DB 150. In the example of FIG. 9, since communication from the terminal A to the terminal E is possible, it can be expressed as F_S203 (terminal A, terminal E) = "Yes". The function may be in the form of returning an arbitrary numerical value such as 1.0.

In the process S204 for requesting the existence of the estimated access means, the mission-related DB100, the detection DB110, and the activity content 120 are referred to, and the access means is similar to the access means that occurred to the damage confirmed terminal in the past within a certain time from the time of the attack detection. Judge whether the damage prediction terminal has the access means of the above as a mission-related activity.

In the example of FIG. 6, terminal B, which is a damage-determined terminal, is accessing port 80, whereas in the example of FIG. 4, terminal E, which is a damage prediction terminal, also opens port 80 as a mission. Therefore, the function F_S203 can be used to express F_S203 (terminal A, terminal E) = "yes". The function may be in the form of returning an arbitrary numerical value such as 1.0.

In the process S21, based on the calculation results in S203 (presence / absence of connectivity), S204 (existence of estimated access means), S206 (similarity of system configuration), and S207 (probability of attack pattern), the damage determination terminal X and The conditional probability P_X (Y) between the damage prediction terminals Y is obtained as follows using an arbitrary function F_Cond3.

P_X (Y) = F_Cond3 (F_S203 (X, Y), F_S204 (X, Y), F_S206 (X, Y), F_S207 (X, Y)) ... (Equation 8)

F_cond3 may be, for example, the following linear function.

F_cond3 = Wi * F_S203 (X, Y) + Wj * F_S204 (X, Y) + Wf * F_S206 (X, Y) + Wg * F_S207 (X, Y) ... (Equation 9)

The process S22 is based on a process S203 for determining the presence or absence of connectivity, a process S204 for determining the existence of an estimated access means, a process S206 for determining the similarity of system configurations, and a process S207 for determining the probability of an attack pattern. Calculates the conditional probability to other damage prediction terminals from.

The process S205 for requesting the existence of similar access means refers to the mission-related activity DB 100 and the detection DB 110, and determines whether or not there is a similar access means between the two damage prediction terminals.

In the example of FIG. 4, since there is no damage prediction terminal that provides the same access means as the terminal E that opens the 80th port, F_S205 (terminal E, terminal D) = F_S205 (terminal E, terminal F) = It becomes "nothing". The function may be in the form of returning an arbitrary numerical value such as 1.0.

In the process S22, the conditional probability P_X (Y) between the damage prediction terminal X and the other damage prediction terminal Y is determined by using an arbitrary function F_Cond4 based on the calculation results in S203, S205, S206, and S207. Obtain as follows.

P_X (Y) = F_Cond4 (F_S203 (X, Y), F_S205 (X, Y), F_S206 (X, Y), F_S207 (X, Y)) ... (Equation 10)

F_cond3 may be, for example, the following linear function.

F_cond3 = W * F_S203 (X, Y) + Wk * F_S205 (X, Y) + Wf * F_S206 (X, Y) + Wg * F_S207 (X, Y) ... (Equation 11)

The reflection of the external knowledge in the process S23 is the same as in the process S13, and is therefore omitted.

FIG. 16 is an example of the screen G1 that provides the calculation result of the influence analysis unit 220. The impact analysis result screen G1 provides information on the damage estimation terminal and the damage prediction terminal existing in the business processing system 50 to the administrator H2 and the like. The administrator H2 can also operate a part of the calculation result of the impact analysis unit 220 from the impact analysis user interaction unit 223 through the screen G1.

The information providing unit regarding the damage estimation terminal includes a display unit GP11 that displays detailed information about the related network of the damage estimation terminal, and a display unit GP12 that displays the related network of the damage estimation terminal as a graph.

The information providing unit regarding the damage prediction terminal has a display unit GP13 that displays detailed information about the related network of the damage prediction terminal and a display unit GP14 that displays the related network of the damage prediction terminal as a graph.

The administrator H2 can also manually change the value of the conditional probability as indicated by the pointer 186. Further, the administrator H2 can also manually change the value of the prior probability in the node as shown by the pointer 189. However, the administrator H2 cannot change the probability of the damage confirmed terminal.

According to the present embodiment configured as described above, in the business processing system 50 including a plurality of terminals 51, the range of damage caused by an attack across a plurality of terminals can be analyzed more accurately than before, and the business processing can be performed. The management efficiency of the system can be improved.

Furthermore, according to this embodiment, it is possible to analyze the effects of so-called targeted attacks and malware activities, and to derive and implement countermeasures against those attacks and activities. Therefore, the reliability of the business processing system 50 can be improved.

Further, according to this embodiment, since the importance of the mission in business processing is defined for each terminal 51 constituting the business processing system 50, the range of influence of the attack can be analyzed according to the importance of the mission. , It is possible to derive and implement a coping method that considers the importance of the mission.

The present invention is not limited to the above-described embodiment. Those skilled in the art can make various additions and changes within the scope of the present invention. In the above-described embodiment, the configuration is not limited to the configuration example shown in the accompanying drawings. The configuration and processing method of the embodiment can be appropriately changed within the range of achieving the object of the present invention.

In addition, each component of the present invention can be arbitrarily selected, and an invention having the selected configuration is also included in the present invention. Further, the configurations described in the claims can be combined in addition to the combinations specified in the claims.

10: Mission guarantee device, 20: Network sensor, 30: Terminal sensor, 40: Communication network, 50: Business processing system, 51: Terminal, 200: Mission-related activity derivation unit, 210: Detection unit, 220: Impact analysis unit, 221: Damage estimation relation network construction department 222: Damage prediction relation network construction department 223: Impact analysis user interaction department 224: Probability calculation department, 230: Countermeasure derivation department, 240: Countermeasure implementation department 221

Claims (14)

A business processing system monitoring device that monitors a business processing system that includes multiple computers.
The activity management department that manages the activities executed by the plurality of computers in relation to business processing and the importance of the activities,
A detector that detects attacks on each computer,
The effect of an attack on any one or more of the computers based on the importance of the information processing activity executed by each computer, the system configuration of each computer, and the detection result by the detection unit. Impact analysis department that analyzes
A business processing system monitoring device equipped with. The impact analysis unit detects the first computer in which the attack is detected and the second computer that has not been detected but may be attacked, and the second computer is attacked. Calculate the probability of
The business processing system monitoring device according to claim 1. The impact analysis department
Based on the importance of the information processing activity, the prior probability that each computer is the second computer is calculated, and further,
Based on the similarity with the system configuration of the first computer, the conditional probability that each computer is the second computer is calculated.
The probability that the second computer is being attacked is calculated from the prior probability and the conditional probability.
The business processing system monitoring device according to claim 2. The influence analysis unit calculates the conditional probability that each computer is the second computer based on the similarity with the information indicating the behavior of the first computer.
The business processing system monitoring device according to claim 3. The impact analysis unit determines the presence or absence of a vulnerability in each computer by comparing the vulnerability information indicating the relationship between the computer system configuration and the vulnerability with the system configuration of each computer, and determines the presence or absence of the vulnerability. Based on the determination result regarding the presence or absence of sex, the conditional probability that each computer is the second computer is calculated.
The business processing system monitoring device according to claim 4. The impact analysis unit determines the presence / absence of communication access between the computers using the information regarding the presence / absence of communication access between the computers, and based on the determination result, the computers make the first. 2 Calculate the conditional probability of being a computer,
The business processing system monitoring device according to claim 5. The impact analysis unit calculates the conditional probability that each computer is the second computer based on the information indicating the attack pattern between the computers.
The business processing system monitoring device according to claim 6. The influence analysis unit calculates the posterior probability that each computer is the second computer by using the belief propagation method based on the prior probability and the conditional probability.
The business processing system monitoring device according to claim 3. The impact analysis unit further detects a third computer among the computers that may be attacked in the future, and calculates the probability that the third computer will be attacked in the future.
The business processing system monitoring device according to claim 8. The impact analysis department
Based on the importance of the information processing activity, the prior probability that each computer becomes the third computer is calculated.
Using the information regarding the presence / absence of communication access between the computers, the presence / absence of communication access between the computers is determined.
Based on the determination result regarding the presence or absence of the communication access and the similarity with the system configuration with the first computer, the conditional probability that each computer becomes the third computer is calculated.
From the prior probability and the conditional probability, the probability that the third computer will be attacked in the future is calculated.
The business processing system monitoring device according to claim 9. The impact analysis unit generates an impact analysis result screen that displays the results of the impact analysis.
On the impact analysis result screen,
Graphical elements corresponding to the first, second, and third computers, and
A line indicating that it is a related computer,
Probability values for the first, second, and third computers and
The value of the probability for the line and
Is displayed,
At least one of the graphic element, the line, and the value of the probability can be changed by a user's instruction.
The business processing system monitoring device according to claim 10. Further, a coping derivation unit for determining a coping method for protecting the second computer and the third computer is provided.
The coping derivation unit
Based on the probability that the second computer has been attacked, a method for dealing with the attack on the second computer is determined.
Determine how to deal with an attack on the third computer based on the probability that the third computer will be attacked in the future.
The business processing system monitoring device according to claim 11. A business processing system monitoring method that monitors a business processing system including multiple computers with a monitoring device.
The monitoring device is
It manages the activities executed by the multiple computers related to business processing and the importance of those activities.
A detection step that detects an attack on each computer,
The effect of an attack on any one or more of the computers based on the importance of the information processing activity executed by each computer, the system configuration of each computer, and the detection result by the detection step. With an impact analysis step to analyze,
Business processing system monitoring method. A computer program for realizing a business processing system monitoring device that monitors a business processing system including a plurality of computers.
An activity that is executed on the plurality of computers in relation to business processing and an importance management function that manages the importance of the activity, and
A detection function that detects attacks on each computer,
The effect of an attack on any one or more of the computers based on the importance of the information processing activity executed by each computer, the system configuration of each computer, and the detection result by the detection function. With the impact analysis function to analyze
A computer program to be realized on a computer.

Images